// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package istio.security;
option go_package="pkg/workloadapi/security";

import "google/protobuf/empty.proto";

message Authorization {
  string name = 1;
  string namespace = 2;

  // Determine the scope of this RBAC policy.
  // If set to NAMESPACE, the 'namespace' field value will be used.
  Scope scope = 3;
  // The action to take if the request is matched with the rules.
  // Default is ALLOW if not specified.
  Action action = 4;
  // Set of RBAC policy rules each containing its clauses (To, From, When).
  // If at least one of the rules is matched the policy action will
  // take place.
  // Rules are OR-ed.
  repeated Rule rules = 5;
}

message Rule {
  // Clauses are AND-ed
  // This is a generic form of the authz policy's to, from and when
  repeated Clause clauses = 1;
}

message Clause {
  // The logical behavior between the matches (if there are more than one)
  //  MatchBehavior match_behavior = 1;
  // Matches are OR-ed
  // Match is a generic form of the authz policy's expressions contained in To, From and When.
  repeated Match matches = 2;
}

message Match {
  // Values of specific type are OR-ed
  // If multiple types are set, they are AND-ed

  repeated StringMatch namespaces = 1;
  repeated StringMatch not_namespaces = 2;

  repeated StringMatch principals = 3;
  repeated StringMatch not_principals = 4;

  repeated Address source_ips = 5;
  repeated Address not_source_ips = 6;

  repeated Address destination_ips = 7;
  repeated Address not_destination_ips = 8;

  repeated uint32 destination_ports = 9;
  repeated uint32 not_destination_ports = 10;
}

message Address {
  bytes address = 1;
  uint32 length = 2;
}

message StringMatch {
  oneof match_type {
    // exact string match
    string exact = 1;
    // prefix-based match
    string prefix = 2;

    // suffix-based match
    string suffix = 3;

    google.protobuf.Empty presence = 4;
  }
}

enum Scope {
  // ALL means that the authorization policy will be applied to all workloads
  // in the mesh (any namespace).
  GLOBAL = 0;
  // NAMESPACE means that the policy will only be applied to workloads in a
  // specific namespace.
  NAMESPACE = 1;
  // WORKLOAD_SELECTOR means that the policy will only be applied to specific
  // workloads that were selected by their labels.
  WORKLOAD_SELECTOR = 2;
}

enum Action {
  // Allow the request if it matches with the rules.
  ALLOW = 0;
  // Deny the request if it matches with the rules.
  DENY = 1;
}
